2007-02-08: Tor 0.1.2.7-alpha is out
"This is the seventh development snapshot for the 0.1.2.x series. It makes rate limiting much more comfortable for servers, along with a huge pile of other bugfixes.
Changes in version 0.1.2.7-alpha - 2007-02-06
- Major bugfixes (rate limiting):
  - Servers decline directory requests much more aggressively when they're low on bandwidth. Otherwise they end up queueing more and more directory responses, which can't be good for latency.
  - But never refuse directory requests from local addresses.
  - Fix a memory leak when sending a 503 response for a networkstatus request.
  - Be willing to read or write on local connections (e.g. controller connections) even when the global rate limiting buckets are empty.
  - If our system clock jumps back in time, don't publish a negative uptime in the descriptor. Also, don't let the global rate limiting buckets go absurdly negative.
  - Flush local controller connection buffers periodically as we're writing to them, so we avoid queueing 4+ megabytes of data before trying to flush.
- Major bugfixes (NT services):
  - Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a command-line flag so that admins can override the default by saying tor --service install --user "SomeUser". This will not affect existing installed services. Also, warn the user that the service will look for its configuration file in the service user's %appdata% directory. (We can't do the 'hardwire the user's appdata directory' trick any more, since we may not have read access to that directory.)
- Major bugfixes (other):
  - Previously, we would cache up to 16 old networkstatus documents indefinitely, if they came from nontrusted authorities. Now we discard them if they are more than 10 days old.
  - Fix a crash bug in the presence of DNS hijacking (reported by Andrew Del Vecchio).
  - Detect and reject malformed DNS responses containing circular pointer loops.
  - If exits are rare enough that we're not marking exits as guards, ignore exit bandwidth when we're deciding the required bandwidth to become a guard.
  - When we're handling a directory connection tunneled over Tor, don't fill up internal memory buffers with all the data we want to tunnel; instead, only add it if the OR connection that will eventually receive it has some room for it. (This can lead to slowdowns in tunneled dir connections; a better solution will have to wait for 0.2.0.)
- Minor bugfixes (dns):
  - Add some defensive programming to eventdns.c in an attempt to catch possible memory-stomping bugs.
  - Detect and reject DNS replies containing IPv4 or IPv6 records with an incorrect number of bytes. (Previously, we would ignore the extra bytes.)
  - Fix as-yet-unused reverse IPv6 lookup code so it sends nybbles in the correct order, and doesn't crash.
  - Free memory held in recently-completed DNS lookup attempts on exit. This was not a memory leak, but may have been hiding memory leaks.
  - Handle TTL values correctly on reverse DNS lookups.
  - Treat failure to parse resolv.conf as an error.
- Minor bugfixes (other):
  - Fix crash with "tor --list-fingerprint" (reported by seeess).
  - When computing clock skew from directory HTTP headers, consider what time it was when we finished asking for the directory, not what time it is now.
  - Expire socks connections if they spend too long waiting for the handshake to finish. Previously we would let them sit around for days, if the connecting application didn't close them either.
  - And if the socks handshake hasn't started, don't send a "DNS resolve socks failed" handshake reply; just close it.
  - Stop using C functions that OpenBSD's linker doesn't like.
  - Don't launch requests for descriptors unless we have networkstatuses from at least half of the authorities. This delays the first download slightly under pathological circumstances, but can prevent us from downloading a bunch of descriptors we don't need.
  - Do not log IPs with TLS failures for incoming TLS connections. (Fixes bug 382.)
  - If the user asks to use invalid exit nodes, be willing to use unstable ones.
  - Stop using the reserved ac_cv namespace in our configure script.
  - Call stat() slightly less often; use fstat() when possible.
  - Refactor the way we handle pending circuits when an OR connection completes or fails, in an attempt to fix a rare crash bug.
  - Only rewrite a conn's address based on X-Forwarded-For: headers if it's a parseable public IP address; and stop adding extra quotes to the resulting address.
- Major features:
  - Weight directory requests by advertised bandwidth. Now we can let servers enable write limiting but still allow most clients to succeed at their directory requests. (We still ignore weights when choosing a directory authority; I hope this is a feature.)
- Minor features:
  - Create a new file ReleaseNotes which was the old ChangeLog. The new ChangeLog file now includes the summaries for all development versions too.
  - Check for addresses with invalid characters at the exit as well as at the client, and warn less verbosely when they fail. You can override this by setting ServerDNSAllowNonRFC953Addresses to 1.
  - Adapt a patch from goodell to let the contrib/exitlist script take arguments rather than require direct editing.
  - Inform the server operator when we decide not to advertise a DirPort due to AccountingMax enabled or a low BandwidthRate. It was confusing Zax, so now we're hopefully more helpful.
  - Bring us one step closer to being able to establish an encrypted directory tunnel without knowing a descriptor first. Still not ready yet. As part of the change, now assume we can use a create_fast cell if we don't know anything about a router.
  - Allow exit nodes to use nameservers running on ports other than 53.
  - Servers now cache reverse DNS replies.
  - Add an --ignore-missing-torrc command-line option so that we can get the "use sensible defaults if the configuration file doesn't exist" behavior even when specifying a torrc location on the command line.
- Minor features (controller):
  - Track reasons for OR connection failure; make these reasons available via the controller interface. (Patch from Mike Perry.)
  - Add a SOCKS_BAD_HOSTNAME client status event so controllers can learn when clients are sending malformed hostnames to Tor.
  - Clean up documentation for controller status events.
  - Add a REMAP status to stream events to note that a stream's address has changed because of a cached address or a MapAddress directive.
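The rate-limiting items above describe three behaviours: refuse directory requests when bandwidth is short but never for local addresses, keep serving local (controller) connections when the global buckets are empty, and stop a backward clock jump from driving the buckets hugely negative. The following is an added illustration of a token bucket with those properties; it is not Tor's own bandwidth code, and the structure, function names and the constructed scenarios (1000 bytes/s, 4000-byte burst, a 10-minute backward jump) are assumptions made for this example.

```c
/* Added example, not Tor's rate-limiting code: a global token bucket that
 * survives clock jumps and exempts local connections. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

struct token_bucket {
    int64_t tokens;      /* bytes available now; one allowed write may dip it below 0 */
    int64_t rate;        /* bytes credited per second (assumed > 0) */
    int64_t burst;       /* most bytes the bucket may hold */
    time_t  last_refill; /* wall-clock time of the last refill */
};

static void bucket_init(struct token_bucket *b, int64_t rate, int64_t burst, time_t now)
{
    b->rate = rate; b->burst = burst; b->tokens = burst; b->last_refill = now;
}

/* Credit the bucket for the time since the last refill. If the wall clock
 * has gone backwards the interval is negative; crediting rate * (negative)
 * would leave the bucket "absurdly negative" and stall traffic until the
 * clock caught up. Instead we resynchronise and credit nothing this round.
 * A huge forward jump cannot overflow elapsed * rate either: anything longer
 * than the fill-from-empty time simply fills the bucket. */
static void bucket_refill(struct token_bucket *b, time_t now)
{
    if (now < b->last_refill) { b->last_refill = now; return; }
    int64_t elapsed = (int64_t)(now - b->last_refill);
    if (elapsed > b->burst / b->rate) {
        b->tokens = b->burst;
    } else {
        int64_t credited = b->tokens + elapsed * b->rate;
        b->tokens = credited > b->burst ? b->burst : credited;
    }
    b->last_refill = now;
}

/* Local connections (e.g. the controller) are never rate limited, so they
 * keep working when the bucket is empty. Remote writes are refused once the
 * bucket is empty; a single allowed write may take it slightly negative,
 * which the next refill pays back. */
static int bucket_try_write(struct token_bucket *b, int64_t n, int is_local)
{
    if (is_local) return 1;
    if (b->tokens <= 0) return 0;
    b->tokens -= n;
    return 1;
}

/* Directory requests are declined aggressively: the whole response must fit
 * in what is available right now. Local addresses are always served. */
static int dir_request_allowed(const struct token_bucket *b, int64_t response_size, int is_local)
{
    return is_local || b->tokens >= response_size;
}

/* Scenario (constructed): 1000 B/s, burst 4000, a 3000-byte write, then the
 * clock jumps back 600 s. Tokens must stay at 1000, not 1000 - 600*1000. */
int64_t scenario_clock_jump(void)
{
    struct token_bucket b; bucket_init(&b, 1000, 4000, 100000);
    bucket_try_write(&b, 3000, 0);
    bucket_refill(&b, 100000 - 600);
    return b.tokens;
}
/* Same, then 2 s pass on the new (earlier) clock: 1000 + 2*1000 = 3000. */
int64_t scenario_recovery(void)
{
    struct token_bucket b; bucket_init(&b, 1000, 4000, 100000);
    bucket_try_write(&b, 3000, 0);
    bucket_refill(&b, 100000 - 600);
    bucket_refill(&b, 100000 - 600 + 2);
    return b.tokens;
}
/* A week-long forward jump fills the bucket to burst and no further. */
int64_t scenario_forward_jump(void)
{
    struct token_bucket b; bucket_init(&b, 1000, 4000, 100000);
    bucket_try_write(&b, 3000, 0);
    bucket_refill(&b, 100000 + 7 * 86400);
    return b.tokens;
}
/* An empty bucket refuses remote traffic and dir requests but serves local ones. */
int scenario_local_exempt(void)
{
    struct token_bucket b; bucket_init(&b, 1000, 4000, 100000);
    bucket_try_write(&b, 4000, 0);                       /* drains to 0 */
    return dir_request_allowed(&b, 500, 0) == 0 && dir_request_allowed(&b, 500, 1) == 1
        && bucket_try_write(&b, 10, 0) == 0 && bucket_try_write(&b, 10, 1) == 1;
}

int main(void)
{
    printf("after backward jump: %lld, after 2 s: %lld, after forward jump: %lld, local exempt: %d\n",
           (long long)scenario_clock_jump(), (long long)scenario_recovery(),
           (long long)scenario_forward_jump(), scenario_local_exempt());
    return 0;
}
```

Resynchronising on a backward jump means a server whose clock is corrected loses at most one refill interval of credit, which is far cheaper than a bucket that owes hundreds of thousands of bytes before it can send anything again.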
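Two of the DNS fixes listed above, rejecting responses with circular compression-pointer loops and rejecting A/AAAA records whose byte count is wrong, are parser checks that are easy to get subtly wrong. The following added example is not Tor's eventdns.c; it is an independent decoder written for this page, and the function names, the struct layout and the three constructed messages (a well-formed answer, a pointer loop routed through label data, and an A record carrying five bytes) are assumptions made here. The loop check relies on RFC 1035's rule that a pointer always refers to an earlier occurrence of a name, so each pointer followed must target an offset below the previous target.

```c
/* Added example, not code from Tor's eventdns.c: reject compression-pointer
 * loops and A/AAAA records whose RDLENGTH does not match the address size. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_TYPE_A    1
#define DNS_TYPE_AAAA 28
#define DNS_MAX_NAME  255

struct dns_rr {
    char name[DNS_MAX_NAME + 1];
    uint16_t type, klass, rdlength;
    uint32_t ttl;
    const uint8_t *rdata;       /* points into the message */
};

/* Decode a (possibly compressed) name at 'off' into dotted form. Returns the
 * offset of the field that follows the name, or -1 if the name is malformed.
 * Every pointer followed must target an offset below the previous target
 * (ceiling), so the walk is strictly decreasing and cannot loop, even when
 * the loop runs through bytes that also serve as label data. */
static int dns_name_decode(const uint8_t *pkt, size_t pktlen, size_t off,
                           char *out, size_t outlen)
{
    size_t pos = off, end = 0, ceiling = pktlen, outpos = 0, name_bytes = 0;
    int jumped = 0;

    for (;;) {
        if (pos >= pktlen) return -1;                 /* ran off the message */
        uint8_t len = pkt[pos];
        if ((len & 0xC0) == 0xC0) {                   /* compression pointer */
            if (pos + 1 >= pktlen) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped) { end = pos + 2; jumped = 1; }
            if (target >= pos || target >= ceiling) return -1;  /* forward ref or loop */
            ceiling = target;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                    /* unsupported label type */
        if (len == 0) {                               /* root label ends the name */
            if (!jumped) end = pos + 1;
            break;
        }
        if (pos + 1 + len > pktlen) return -1;        /* label truncated */
        name_bytes += len + 1;
        if (name_bytes > DNS_MAX_NAME) return -1;     /* longer than DNS allows */
        if (outpos + len + 2 > outlen) return -1;     /* room for label, '.', NUL */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos + 1, len);
        outpos += len;
        pos += 1 + len;
    }
    out[outpos] = '\0';
    return (int)end;
}

/* Address records have a fixed size; a wrong count is rejected rather than
 * silently trimmed. Other types are variable-length and pass through. */
static int dns_rdlength_ok(uint16_t type, uint16_t rdlength)
{
    if (type == DNS_TYPE_A)    return rdlength == 4;
    if (type == DNS_TYPE_AAAA) return rdlength == 16;
    return 1;
}

/* Parse one resource record at 'off'. Returns the offset of the next record,
 * or -1 if anything about it is malformed. */
static int dns_rr_parse(const uint8_t *pkt, size_t pktlen, size_t off, struct dns_rr *rr)
{
    int p = dns_name_decode(pkt, pktlen, off, rr->name, sizeof rr->name);
    if (p < 0) return -1;
    size_t q = (size_t)p;
    if (q + 10 > pktlen) return -1;                   /* TYPE, CLASS, TTL, RDLENGTH */
    rr->type     = (uint16_t)((pkt[q] << 8) | pkt[q + 1]);
    rr->klass    = (uint16_t)((pkt[q + 2] << 8) | pkt[q + 3]);
    rr->ttl      = ((uint32_t)pkt[q + 4] << 24) | ((uint32_t)pkt[q + 5] << 16) |
                   ((uint32_t)pkt[q + 6] << 8) | pkt[q + 7];
    rr->rdlength = (uint16_t)((pkt[q + 8] << 8) | pkt[q + 9]);
    q += 10;
    if (q + rr->rdlength > pktlen) return -1;         /* RDATA truncated */
    if (!dns_rdlength_ok(rr->type, rr->rdlength)) return -1;
    rr->rdata = pkt + q;
    return (int)(q + rr->rdlength);
}

/* Constructed sample messages (not captured traffic). Header: 12 bytes;
 * question "example.com" IN A at offsets 12..28; first answer at offset 29. */
#define HDR_AND_QUESTION \
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0, \
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1
static const uint8_t PKT_GOOD[] = { HDR_AND_QUESTION,
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 93,184,216,34 };    /* ptr->12, A, TTL 3600 */
/* Name at 29 is a 2-byte label whose bytes are a pointer back to 29, then that
 * same pointer again: a loop a plain "pointer must go backwards" test misses. */
static const uint8_t PKT_LOOP[] = { HDR_AND_QUESTION,
    2,0xC0,0x1D, 0xC0,0x1D, 0,1, 0,1, 0,0,0,0, 0,0 };
static const uint8_t PKT_BADLEN[] = { HDR_AND_QUESTION,
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,5, 93,184,216,34,0 };  /* A record, 5 bytes */

int sample_good_end(void)   { struct dns_rr rr; return dns_rr_parse(PKT_GOOD, sizeof PKT_GOOD, 29, &rr); }
int sample_loop_end(void)   { struct dns_rr rr; return dns_rr_parse(PKT_LOOP, sizeof PKT_LOOP, 29, &rr); }
int sample_badlen_end(void) { struct dns_rr rr; return dns_rr_parse(PKT_BADLEN, sizeof PKT_BADLEN, 29, &rr); }
int sample_good_fields_ok(void)
{
    struct dns_rr rr;
    if (dns_rr_parse(PKT_GOOD, sizeof PKT_GOOD, 29, &rr) < 0) return 0;
    return strcmp(rr.name, "example.com") == 0 && rr.type == DNS_TYPE_A && rr.ttl == 3600;
}

int main(void)
{
    printf("good: next=%d  loop: %d  badlen: %d  fields ok: %d\n",
           sample_good_end(), sample_loop_end(), sample_badlen_end(), sample_good_fields_ok());
    return 0;
}
```

The well-formed message parses to offset 45 (the end of the record), the looping message and the five-byte A record are both rejected with -1. Note that checking only "target < position of the pointer" is not enough: in the looping sample the first pass reads the pointer bytes as ordinary label data, moves past them, and then finds a pointer that legitimately points backwards to where it started; the decreasing-ceiling rule is what terminates it.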